
Bug #16727 MDB2 Quote Fetches URLs
Submitted: 2009-10-22 20:50 UTC
From: kingtom Assigned: quipo
Status: Closed Package: MDB2 (version 2.5.0b2)
PHP Version: 5.2.5 OS: Windows XP
Roadmaps: (Not assigned)    


 [2009-10-22 20:50 UTC] kingtom (Tom Tom)
Description:
------------
When passing a URL as the first parameter to $mdb2->quote, and 'clob' as the second parameter, it actually fetches the URL.

Test script:
---------------
print $mdb2->quote("http://www.bbc.co.uk", "clob");

Expected result:
----------------
It should print 'http://www.bbc.co.uk'

Actual result:
--------------
It prints the source of http://www.bbc.co.uk

Comments

 [2009-10-22 21:05 UTC] quipo (Lorenzo Alberton)
-Status: Open +Status: Closed -Assigned To: +Assigned To: quipo
Make sure the 'lob_allow_url_include' option is set to false
 [2009-10-22 21:23 UTC] kingtom (Tom Tom)
$mdb2->setOption('lob_allow_url_include', false);

??? still exhibits the same behaviour for me... Surely it should be set to false by default though, because it's a huge security hole... if you pass user input in, then they can access any file on the server - file:///etc/passwd and so on. Am I missing something? :)
 [2009-10-22 21:46 UTC] quipo (Lorenzo Alberton)
-Status: Closed +Status: Feedback
it *is* false by default... I can't try now, I don't have access to my dev machine. Would you mind trying the files in SVN, and see if it's fixed there? Thanks!
 [2009-10-28 20:25 UTC] kingtom (Tom Tom)
Hi - thanks for looking into this. We're using 2.5.0b2 and it seems to be true by default on this. Not sure how to try the files in SVN?
 [2009-12-28 04:39 UTC] quipo (Lorenzo Alberton)
-Status: Feedback +Status: Closed
This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.
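The following is an added example, not code from the bug report or from the MDB2 project. It puts the weak and the corrected setting side by side and adds a guard that does not depend on the package default being right, which is the failure mode the report describes: with 'lob_allow_url_include' enabled, quote() with a LOB type dereferences a URL-like value (including file://) and returns its contents. It assumes PEAR MDB2 is installed, that the DSN is replaced with one for a reachable database (the value shown is a placeholder), and that quote() behaves as the report and the maintainer's reply describe; the helper name quoteLobSafely and the temp file standing in for /etc/passwd are constructed for the demo.

```php
<?php
// Added example (not from the bug report or the MDB2 project).
// Demonstrates what 'lob_allow_url_include' changes in quote(..., 'clob')
// and a guard that refuses to quote LOB values from user input unless the
// option is off. Assumes PEAR MDB2 is installed and $dsn is reachable.
require_once 'MDB2.php';

// Placeholder DSN: replace with one for a database you can connect to.
$dsn  = 'mysql://user:password@localhost/dbname';
$mdb2 = MDB2::factory($dsn);
if (PEAR::isError($mdb2)) {
    die($mdb2->getMessage() . "\n");
}

// A local file standing in for /etc/passwd (constructed for the demo).
$secret = tempnam(sys_get_temp_dir(), 'mdb2');
file_put_contents($secret, "root:x:0:0:root:/root:/bin/bash\n");
$userInput = 'file://' . $secret;   // what an attacker would submit as "text"

// Quote a LOB value only when URL/file inclusion is disabled; otherwise
// return an error so a bad default cannot turn quote() into a file reader.
function quoteLobSafely($mdb2, $value)
{
    if ($mdb2->getOption('lob_allow_url_include') !== false) {
        return PEAR::raiseError(
            'refusing to quote LOB value: lob_allow_url_include is enabled'
        );
    }
    return $mdb2->quote($value, 'clob');
}

// 1. Weak setting: the option is on, so the value is opened and read.
$mdb2->setOption('lob_allow_url_include', true);
echo "inclusion enabled:  " . $mdb2->quote($userInput, 'clob') . "\n";
// Expected per the report: the quoted file contents, not the file:// string.

// 2. Corrected setting: the option is off, so the string is quoted verbatim.
$mdb2->setOption('lob_allow_url_include', false);
echo "inclusion disabled: " . $mdb2->quote($userInput, 'clob') . "\n";

// 3. The guard: even with the option (re)enabled, user input is refused.
$mdb2->setOption('lob_allow_url_include', true);
$res = quoteLobSafely($mdb2, $userInput);
echo "guard: " . (PEAR::isError($res) ? $res->getMessage() : $res) . "\n";

unlink($secret);
```

The practical takeaway is the third step: if the version in use has the option enabled by default (as the reporter saw on 2.5.0b2), calling setOption('lob_allow_url_include', false) at connection time is the fix, and checking getOption() before quoting any LOB that originates from a request turns a silent file read into a visible error.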